SlideShare a Scribd company logo

Message Authentication and Hash Function.pdf

sunil sharma
sunil sharma

This document discusses message authentication techniques. It covers message authentication requirements such as preventing disclosure, modification, and repudiation of messages. It then describes various message authentication functions including hash-based MACs like HMAC, block cipher-based MACs like CMAC, and authenticated encryption modes like CCM and GCM. It also covers key wrapping and pseudorandom number generation using hash functions and MACs. The goal of message authentication codes and authenticated encryption is to verify that messages come from the alleged source and have not been altered.

Education
1 of 38
Download to read offline
Message Authentication Code 2015.03.30 임 형 진 Email: imhj9121@gmail.com SeoulTech UCS Lab
Table of Contents 1. Message Authentication Requirements 2. Message Authentication Functions 3. Requirements for Message Authentication Code 4. Security of MACs 5. MACs Based on Hash Functions:HMAC 6. MACs Based on Block Ciphers: DAA and CMAC 7. Authenticated Encryption:CCM and GCM 8. Key Wrapping 9. Pseudorandom Number Generation Using Hash Functions and MACs 2
Message Authentication Requirements (1/2) • 1. Disclosure: Release of message contents to any person or process not possessing the appropriate cryptographic key. • 2. Traffic analysis: Discovery of the pattern of traffic between parties • 3. Masquerade: Insertion of messages into the network from a fraudulent source. • 4. Content modification: Changes to the contents of a message, including insertion, deletion, transposition, and modification. • 5. Sequence modification: Any modification to a sequence of messages between parties, including insertion, deletion, and reordering. • 6. Timing modification: Delay or replay of messages. • 7. Source repudiation: Denial of transmission of message by source. • 8. Destination repudiation: Denial of receipt of message by destination. 3
Message Authentication Requirements (2/2) • a procedure to verify that received messages come from the alleged source and have not been altered. • verify sequencing and timeliness. • A digital signature is an authentication technique that also includes measures to counter repudiation by the source. 4
Message Authentication Functions (1/10) Autenticator may be grouped into three classes. • Hash function: A function that maps a message of any length into a fixedlength hash value, which serves as the authenticator • Message encryption: The ciphertext of the entire message serves as its authenticator • Message authentication code (MAC): A function of the message and a secret key that produces a fixed-length value that serves as the authenticator 5
Message Authentication Functions (2/10) 6 Symmetric Encryption A message M transmitted from source A to destination B is encrypted using a secret key K shared by A and B. If no other party knows the key, then confidentiality is provided: No other party can recover the plaintext of the message. In addition, B is assured that the message was generated by A M M E D Key Key E(K, M) Source Destination
Message Authentication Functions (3/10) 7 M M E D PUb PRb E(PUb, M) Source A Destination B Public-key Encryption (1/3) Public-Key encryption: confidentiality The source (A) uses the public key PUb of the destination (B) to encrypt M. Because only B has the corresponding private key PRb, only B can decrypt the message. Provides no authentication, because any opponent could also use B’s public key to encrypt a message and claim to be A.
Message Authentication Functions (4/10) Public-key Encryption (2/3) The message must have come from A because A is the only party that possesses PRa and therefore the only party with the information necessary to construct ciphertext that can be decrypted with PUa. 8 M M E D PRa PUa E(PRa, M) Source A Destination B Public-Key encryption: authentication and signature
Message Authentication Functions (5/10) Public-key Encryption (3/3) • To provide both confidentiality and authentication, A can encrypt M first using its private key, which provides the digital signature, and then using B’s public key, which provides confidentiality. The disadvantage of this approach is that the public-key algorithm, which is complex, must be exercised four times rather than two in each communication 9 M E E PRa PUa E(PRa, M) Source A Destination B Public-Key encryption: confidentiality, authentication, and signature M D D PRb PUa E(PRa, M) E(PUb, E(PRa, M))
Message Authentication Functions (6/10) Message Authentication Code (1/5) • This technique assumes that two communicating parties, say A and B, share a common secret key K. When A has a message to send to B, it calculates the MAC as a function of the message and the key MAC = C(K, M) • M = input message • C = MAC function • K = shared secret key • MAC = message authentication code 10
Message Authentication Functions (7/10) Message Authentication Code (2/5) 11 M M C K Source A Destination B C(K, M) C K Compare Message authentication
Message Authentication Functions (8/10) Message Authentication Code (3/5) 12 M M C K1 E(K2, [M||C(K1, M)]) Message authentication and confidentiality: authentication tied to plaintext E K2 M C(K, M) C K1 Compare D K2
Message Authentication Functions (9/10) Message Authentication Code (4/5) 13 M C K1 C(K1, E(K2, M)) E K2 M C K1 Compare D K2 E(K2, M) Message authentication and confidentiality: authentication tied to ciphertext
Message Authentication Functions (10/10) Message Authentication Code (5/5) • There are a number of applications in which the same message is broadcast to a number of destinations • An exchange in which one side has a heavy load and cannot afford the time to decrypt all incoming messages. • The computer program can be executed without having to decrypt it every time, which would be wasteful of processor resources. 14
Requirements for Message Authentication Codes • If an opponent observes M and MAC(K, M), it should be computationally infeasible for the opponent to construct a message M such that MAC(K, M) = MAC(K, M) • MAC(K, M) should be uniformly distributed in the sense that for randomly chosen messages, M and M, the probability that MAC(K, M) = MAC(K, M) is 2-n, where n is the number of bits in the tag. • Let M be equal to some known transformation on M. That is, M = f(M). For example, f may involve inverting one or more specific bits. In that case, Pr [MAC(K, M) = MAC(K, M)] = 2-n 15
Security of MACs • Brute-Force Attacks – Computation resistance: Given one or more text-MAC pairs [xi, MAC(K, xi)], it is computationally infeasible to compute any text- MAC pair [x, MAC(K, x)] for any new input x≠xi. – the level of effort for brute-force attack on a MAC algorithm can be expressed as min(2k, 2n) – k: key length – n: number of MAC bits • Cryptanalysis – That is, an ideal MAC algorithm will require a cryptanalytic effort greater than or equal to the brute-force effort. 16
MACs Based on Hash Functions:HMAC (1/6) • There has been increased interest in developing a MAC derived from a cryptographic hash function – Cryptographic hash functions such as MD5 and SHA generally execute faster in software than symmetric block ciphers such as DES. – Library code for cryptographic hash functions is widely available. • HMAC – issued as RFC 2104, – has been chosen as the mandatory-to-implement MAC for IP security – is used in other Internet protocols, such as SSL 17
MACs Based on Hash Functions:HMAC (2/6) • HMAC Design Objectives (RFC 2104) – To use, without modifications, available hash functions. – To allow for easy replaceability of the embedded hash function – To preserve the original performance of the hash function – To use and handle keys in a simple way – To have a well understood cryptographic analysis 18
MACs Based on Hash Functions:HMAC (3/6) • HMAC(K,M) = H[(K+ ⊕ opad) ∥ H[(K+ ⊕ ipad) ∥M]] • H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160) • IV = initial value input to hash function • M = message input to HMAC (including the padding specified in the embedded • hash function) • Yi = i th block of M, 0 … i … (L - 1) • L = number of blocks in M • b = number of bits in a block • n = length of hash code produced by embedded hash function • K = secret key; recommended length is Ú n; if key length is greater than b, the • key is input to the hash function to produce an n-bit key • K+ = K padded with zeros on the left so that the result is b bits in length • ipad = 00110110 (36 in hexadecimal) repeated b/8 times • opad = 01011100 (5C in hexadecimal) repeated b/8 times 19
MACs Based on Hash Functions:HMAC (4/6) 1. Append zeros to the left end of K to create a b-bit string K+ 2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit block Si. 3. Append M to Si. 4. Apply H to the stream generated in step 3. 5. XOR K+ with opad to produce the b-bit block So. 6. Append the hash result from step 4 to So. 7. Apply H to the stream generated in step 6 and output the result. 20
MACs Based on Hash Functions:HMAC (5/6) • Efficient Implementation of HMAC 21
MACs Based on Hash Functions:HMAC (6/6) • Security of HMAC – the probability of successful attack on HMAC is equivalent to one of the following attacks on the embedded hash function.  The attacker is able to compute an output of the compression function even with an IV that is random, secret, and unknown to the attacker  For a hash code length of 128 bits, this requires 264 observed blocks (272 bits) generated using the same key.  if speed is a concern, it is fully acceptable to use MD5 rather than SHA-1 as the embedded hash function for HMAC. 22
MAC s Based on Block Ciphers: DAA and CMAC (1/3) • Data Authentication Algorithm (DAA) – (FIPS PUB 113) and an ANSI standard – Security weaknesses in this algorithm have been discovered – using the cipher block chaining (CBC) mode of operation of DES • Cipher-Based Message Authentication Code (CMAC) – use with AES and triple DES • AES; key length: 128, 192, 256bit. Block size: 128bit • Triple-DES; key length: 112 or 168bit. Block size: 64bit – NIST 800-38B 23
MAC s Based on Block Ciphers: DAA and CMAC (2/3) 24 • Data Authentication Algorithm (DAA)
MAC s Based on Block Ciphers: DAA and CMAC (3/3) • Cipher-Based Message Authentication Code (CMAC) 25
Authenticated Encryption: CCM and GCM (1/7) • Authenticated encryption: AE – simultaneously protect confidentiality and authenticity (integrity) of communications. • Four common approaches to providing both confidentiality and encryption for a message M. – Hashing followed by encryption (H->E) • First compute the cryptographic hash function over M as h = H(M). • Then encrypt the message plus hash function: E(K, (M} h)) – Authentication followed by encryption (A->E) • First authenticate the plaintext by computing the MAC value as T = MAC(K1, M). • Then encrypt the message plus tag: E(K2, [M||T ]). – Encryption followed by authentication (E->A) • First encrypt the message to yield the ciphertext C = E(K2, M). • Then authenticate the ciphertext with T = MAC(K1, C) to yield the pair (C, T). – Independently encrypt and authenticate (E+A). • Encrypt the message to yield the ciphertext C = E(K2, M). • Authenticate the plaintext with T = MAC(K1, M) to yield the pair (C, T). 26
Authenticated Encryption: CCM and GCM • Counter with Cipher Block Chaining-Message Authentication Code – a variation of the encrypt-and-MAC approach to authenticated encryption. – AES, CTR, CMAC – A single key K is used for both encryption and MAC algorithms. 27 Authenticated Encryption: CCM and GCM (2/7)
Authenticated Encryption: CCM and GCM ( 28 Authenticated Encryption: CCM and GCM (3/7) Authentication of CCM
29 Authenticated Encryption: CCM and GCM (4/7) • Encryption of CCM
Authenticated Encryption: CCM and GCM (5/7) • Galois/Counter Mode – standardized by NIST in NIST SP 800-38D – designed to be parallelizable so that it can provide high throughput with low cost and low latency. – the message is encrypted in variant of CTR mode – GHASH, which is a keyed hash function, and GCTR, which is essentially the CTR mode 30 GHash
Authenticated Encryption: CCM and GCM (6/7) • GCTRK 31
Authenticated Encryption: CCM and GCM (7/7) • Galois Counter—Message Authentication Code 32
Key Wrap (1/3) • Most recent block cipher mode of operation defined by NIST – Uses AES or triple DEA as the underlying encryption algorithm • Purpose is to securely exchange a symmetric key to be shared by two parties, using a symmetric key already shared by these parties – The latter key is called a key encryption key (KEK) • Robust in the sense that each bit of output can be expected to depend in a nontrivial fashion on each bit of input • Only used for small amounts of plaintext 33
Key Wrap (2/3) • Key Wrap 34 Key Wrapping Operation for 256-bit Key
Key Wrap (3/3) 35
Pseudorandom Number Generation Using Hash Functions and MACs (1/2) • The essential elements of any pseudorandom number generator – Seed value – Deterministic algorithm for generating a stream of pseudorandom bits 36 PRNG using cryptographic hash function PRNG using HMAC
Pseudorandom Number Generation Using Hash Functions and MACs (2/2) 37 m = [n/outlen] w0 = V W = the null string For i = 1 to m wi = MAC(K, wi-1) W = W||wii Return leftmost n bits of W m = [n/outlen] W = the null string For i = 1 to m wi = MAC(K, (V|| i)) W = W||wi Return leftmost n bits of W m = [n/outlen] A(0) = V W = the null string For i = 1 to m A(i) = MAC(K, A(i - 1)) wi = MAC(K, (A(i) }V) W = W||wi Return leftmost n bits of W NIST SP 800-90 IEEE 802.11i TLS/WTLS
Q & A 38

Recommended

2. public key cryptography and RSA
2. public key cryptography and RSA2. public key cryptography and RSA
2. public key cryptography and RSA
Dr.Florence Dayana
 
Elliptical curve cryptography
Elliptical curve cryptographyElliptical curve cryptography
Elliptical curve cryptography
Barani Tharan
 
Meessage authentication and hash functions.pptx
Meessage authentication and hash functions.pptxMeessage authentication and hash functions.pptx
Meessage authentication and hash functions.pptx
JohnLagman3
 
Rsa and diffie hellman algorithms
Rsa and diffie hellman algorithmsRsa and diffie hellman algorithms
Rsa and diffie hellman algorithms
daxesh chauhan
 
AES-Advanced Encryption Standard
AES-Advanced Encryption StandardAES-Advanced Encryption Standard
AES-Advanced Encryption Standard
Prince Rachit
 
Public key algorithm
Public key algorithmPublic key algorithm
Public key algorithm
Prateek Pandey
 
Network Security and Cryptography
Network Security and CryptographyNetwork Security and Cryptography
Network Security and Cryptography
Adam Reagan
 
Public Key Cryptosystem
Public Key CryptosystemPublic Key Cryptosystem
Public Key Cryptosystem
Devakumar Kp
 

Recommended

2. public key cryptography and RSA
2. public key cryptography and RSA2. public key cryptography and RSA
2. public key cryptography and RSA
Dr.Florence Dayana
 
Elliptical curve cryptography
Elliptical curve cryptographyElliptical curve cryptography
Elliptical curve cryptography
Barani Tharan
 
Meessage authentication and hash functions.pptx
Meessage authentication and hash functions.pptxMeessage authentication and hash functions.pptx
Meessage authentication and hash functions.pptx
JohnLagman3
 
Rsa and diffie hellman algorithms
Rsa and diffie hellman algorithmsRsa and diffie hellman algorithms
Rsa and diffie hellman algorithms
daxesh chauhan
 
AES-Advanced Encryption Standard
AES-Advanced Encryption StandardAES-Advanced Encryption Standard
AES-Advanced Encryption Standard
Prince Rachit
 
Public key algorithm
Public key algorithmPublic key algorithm
Public key algorithm
Prateek Pandey
 
Network Security and Cryptography
Network Security and CryptographyNetwork Security and Cryptography
Network Security and Cryptography
Adam Reagan
 
Public Key Cryptosystem
Public Key CryptosystemPublic Key Cryptosystem
Public Key Cryptosystem
Devakumar Kp
 
Image compression
Image compression Image compression
Image compression
GARIMA SHAKYA
 
Asymmetric Cryptography
Asymmetric CryptographyAsymmetric Cryptography
Asymmetric Cryptography
UTD Computer Security Group
 
Ch14
Ch14Ch14
Ch14Francis Alamina
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network securitypatisa
 
Ch9
Ch9Ch9
Ch9
Mahender Kumar
 
CNIT 141 8. Authenticated Encryption
CNIT 141 8. Authenticated EncryptionCNIT 141 8. Authenticated Encryption
CNIT 141 8. Authenticated Encryption
Sam Bowne
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMAC
Krishna Gehlot
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHMShashank Shetty
 
CMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signatureCMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signature
Adarsh Patel
 
Network security cryptographic hash function
Network security cryptographic hash functionNetwork security cryptographic hash function
Network security cryptographic hash function
Mijanur Rahman Milon
 
Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...
Mazin Alwaaly
 
5. message authentication and hash function
5. message authentication and hash function5. message authentication and hash function
5. message authentication and hash function
Chirag Patel
 
Electronic mail security
Electronic mail securityElectronic mail security
Electronic mail security
Dr.Florence Dayana
 
Public key cryptography
Public key cryptography Public key cryptography
Public key cryptography
rinnocente
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacy
Pawan Arya
 
Security Architecture and Design - CISSP
Security Architecture and Design - CISSPSecurity Architecture and Design - CISSP
Security Architecture and Design - CISSP
Srishti Ahuja
 
Message AUthentication Code
Message AUthentication CodeMessage AUthentication Code
Message AUthentication Code
Keval Bhogayata
 
Cryptography
CryptographyCryptography
Cryptography
amiable_indian
 
Intro to modern cryptography
Intro to modern cryptographyIntro to modern cryptography
Intro to modern cryptography
zahid-mian
 
CNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream CiphersCNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream Ciphers
Sam Bowne
 
MACs based on Hash Functions, MACs based on Block Ciphers
MACs based on Hash Functions, MACs based on Block CiphersMACs based on Hash Functions, MACs based on Block Ciphers
MACs based on Hash Functions, MACs based on Block Ciphers
Maitree Patel
 
Cs8792 cns - unit iv
Cs8792 cns - unit ivCs8792 cns - unit iv
Cs8792 cns - unit iv
ArthyR3
 

More Related Content

What's hot

Image compression
Image compression Image compression
Image compression
GARIMA SHAKYA
 
Asymmetric Cryptography
Asymmetric CryptographyAsymmetric Cryptography
Asymmetric Cryptography
UTD Computer Security Group
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network securitypatisa
 
Ch9
Ch9Ch9
Ch9
Mahender Kumar
 
CNIT 141 8. Authenticated Encryption
CNIT 141 8. Authenticated EncryptionCNIT 141 8. Authenticated Encryption
CNIT 141 8. Authenticated Encryption
Sam Bowne
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMAC
Krishna Gehlot
 
CMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signatureCMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signature
Adarsh Patel
 
Network security cryptographic hash function
Network security cryptographic hash functionNetwork security cryptographic hash function
Network security cryptographic hash function
Mijanur Rahman Milon
 
Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...
Mazin Alwaaly
 
5. message authentication and hash function
5. message authentication and hash function5. message authentication and hash function
5. message authentication and hash function
Chirag Patel
 
Electronic mail security
Electronic mail securityElectronic mail security
Electronic mail security
Dr.Florence Dayana
 
Public key cryptography
Public key cryptography Public key cryptography
Public key cryptography
rinnocente
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacy
Pawan Arya
 
Security Architecture and Design - CISSP
Security Architecture and Design - CISSPSecurity Architecture and Design - CISSP
Security Architecture and Design - CISSP
Srishti Ahuja
 
Message AUthentication Code
Message AUthentication CodeMessage AUthentication Code
Message AUthentication Code
Keval Bhogayata
 
Cryptography
CryptographyCryptography
Cryptography
amiable_indian
 
Intro to modern cryptography
Intro to modern cryptographyIntro to modern cryptography
Intro to modern cryptography
zahid-mian
 
CNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream CiphersCNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream Ciphers
Sam Bowne
 

What's hot (20)

Image compression
Image compression Image compression
Image compression
 
Asymmetric Cryptography
Asymmetric CryptographyAsymmetric Cryptography
Asymmetric Cryptography
 
Ch14
Ch14Ch14
Ch14
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
 
Ch9
Ch9Ch9
Ch9
 
CNIT 141 8. Authenticated Encryption
CNIT 141 8. Authenticated EncryptionCNIT 141 8. Authenticated Encryption
CNIT 141 8. Authenticated Encryption
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMAC
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
CMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signatureCMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signature
 
Network security cryptographic hash function
Network security cryptographic hash functionNetwork security cryptographic hash function
Network security cryptographic hash function
 
Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...
 
5. message authentication and hash function
5. message authentication and hash function5. message authentication and hash function
5. message authentication and hash function
 
Electronic mail security
Electronic mail securityElectronic mail security
Electronic mail security
 
Public key cryptography
Public key cryptography Public key cryptography
Public key cryptography
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacy
 
Security Architecture and Design - CISSP
Security Architecture and Design - CISSPSecurity Architecture and Design - CISSP
Security Architecture and Design - CISSP
 
Message AUthentication Code
Message AUthentication CodeMessage AUthentication Code
Message AUthentication Code
 
Cryptography
CryptographyCryptography
Cryptography
 
Intro to modern cryptography
Intro to modern cryptographyIntro to modern cryptography
Intro to modern cryptography
 
CNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream CiphersCNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream Ciphers
 

Similar to Message Authentication and Hash Function.pdf

MACs based on Hash Functions, MACs based on Block Ciphers
MACs based on Hash Functions, MACs based on Block CiphersMACs based on Hash Functions, MACs based on Block Ciphers
MACs based on Hash Functions, MACs based on Block Ciphers
Maitree Patel
 
Cs8792 cns - unit iv
Cs8792 cns - unit ivCs8792 cns - unit iv
Cs8792 cns - unit iv
ArthyR3
 
Cs8792 cns - unit iv
Cs8792 cns - unit ivCs8792 cns - unit iv
Cs8792 cns - unit iv
ArthyR3
 
Information and data security cryptography and network security
Information and data security cryptography and network securityInformation and data security cryptography and network security
Information and data security cryptography and network security
Mazin Alwaaly
 
Cryptography and Message Authentication NS3
Cryptography and Message Authentication NS3Cryptography and Message Authentication NS3
Cryptography and Message Authentication NS3koolkampus
 
Message Authentication Requirement-MAC
Message Authentication Requirement-MACMessage Authentication Requirement-MAC
Message Authentication Requirement-MAC
Sou Jana
 
Cryptography and network_security
Cryptography and network_securityCryptography and network_security
Cryptography and network_security
Janani Satheshkumar
 
Cns
CnsCns
Cns
ArthyR3
 
Unit 3
Unit 3Unit 3
Unit 3
tamil arasan
 
UNIT3_class (1).ppt CRYPTOGRAPHY NOTES AND NETWORK
UNIT3_class (1).ppt CRYPTOGRAPHY NOTES AND NETWORKUNIT3_class (1).ppt CRYPTOGRAPHY NOTES AND NETWORK
UNIT3_class (1).ppt CRYPTOGRAPHY NOTES AND NETWORK
jeevasreemurali
 
Message authentication
Message authenticationMessage authentication
Message authentication
CAS
 
Message authentication and hash function
Message authentication and hash functionMessage authentication and hash function
Message authentication and hash function
omarShiekh1
 
unit - III.pptx
unit - III.pptxunit - III.pptx
unit - III.pptx
sandyBS
 
Message Authentication
Message AuthenticationMessage Authentication
Message Authentication
Ram Dutt Shukla
 
Message Authentication
Message AuthenticationMessage Authentication
Message Authentication
chauhankapil
 
MAC-Message Authentication Codes
MAC-Message Authentication CodesMAC-Message Authentication Codes
MAC-Message Authentication Codes
DarshanPatil82
 
Hash Function
Hash FunctionHash Function
Hash Function
Siddharth Srivastava
 
ch11.ppt
ch11.pptch11.ppt
ch11.ppt
SomuPatil8
 
15 ma cs and signatures
15 ma cs and signatures15 ma cs and signatures
15 ma cs and signaturesdrewz lin
 

Similar to Message Authentication and Hash Function.pdf (20)

MACs based on Hash Functions, MACs based on Block Ciphers
MACs based on Hash Functions, MACs based on Block CiphersMACs based on Hash Functions, MACs based on Block Ciphers
MACs based on Hash Functions, MACs based on Block Ciphers
 
Cs8792 cns - unit iv
Cs8792 cns - unit ivCs8792 cns - unit iv
Cs8792 cns - unit iv
 
Cs8792 cns - unit iv
Cs8792 cns - unit ivCs8792 cns - unit iv
Cs8792 cns - unit iv
 
Information and data security cryptography and network security
Information and data security cryptography and network securityInformation and data security cryptography and network security
Information and data security cryptography and network security
 
Cryptography and Message Authentication NS3
Cryptography and Message Authentication NS3Cryptography and Message Authentication NS3
Cryptography and Message Authentication NS3
 
Message Authentication Requirement-MAC
Message Authentication Requirement-MACMessage Authentication Requirement-MAC
Message Authentication Requirement-MAC
 
Cryptography and network_security
Cryptography and network_securityCryptography and network_security
Cryptography and network_security
 
Cns
CnsCns
Cns
 
Unit 3
Unit 3Unit 3
Unit 3
 
UNIT3_class (1).ppt CRYPTOGRAPHY NOTES AND NETWORK
UNIT3_class (1).ppt CRYPTOGRAPHY NOTES AND NETWORKUNIT3_class (1).ppt CRYPTOGRAPHY NOTES AND NETWORK
UNIT3_class (1).ppt CRYPTOGRAPHY NOTES AND NETWORK
 
Message authentication
Message authenticationMessage authentication
Message authentication
 
Message authentication and hash function
Message authentication and hash functionMessage authentication and hash function
Message authentication and hash function
 
unit - III.pptx
unit - III.pptxunit - III.pptx
unit - III.pptx
 
Message Authentication
Message AuthenticationMessage Authentication
Message Authentication
 
Message Authentication
Message AuthenticationMessage Authentication
Message Authentication
 
MAC-Message Authentication Codes
MAC-Message Authentication CodesMAC-Message Authentication Codes
MAC-Message Authentication Codes
 
Hash Function
Hash FunctionHash Function
Hash Function
 
ch11.ppt
ch11.pptch11.ppt
ch11.ppt
 
Ch11
Ch11Ch11
Ch11
 
15 ma cs and signatures
15 ma cs and signatures15 ma cs and signatures
15 ma cs and signatures
 

Recently uploaded

Synthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptxSynthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptx
Pavel ( NSTU)
 
special B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdfspecial B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdf
Special education needs
 
Chapter -12, Antibiotics (One Page Notes).pdf
Chapter -12, Antibiotics (One Page Notes).pdfChapter -12, Antibiotics (One Page Notes).pdf
Chapter -12, Antibiotics (One Page Notes).pdf
Kartik Tiwari
 
Best Digital Marketing Institute In NOIDA
Best Digital Marketing Institute In NOIDABest Digital Marketing Institute In NOIDA
Best Digital Marketing Institute In NOIDA
deeptiverma2406
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
Delapenabediema
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
heathfieldcps1
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
EugeneSaldivar
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela TaraOperation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela Tara
Balvir Singh
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
Peter Windle
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
TechSoup
 
Supporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptxSupporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptx
Jisc
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
EverAndrsGuerraGuerr
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
DeeptiGupta154
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
TechSoup
 
Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.
Ashokrao Mane college of Pharmacy Peth-Vadgaon
 
Normal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of LabourNormal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of Labour
Wasim Ak
 
Honest Reviews of Tim Han LMA Course Program.pptx
Honest Reviews of Tim Han LMA Course Program.pptxHonest Reviews of Tim Han LMA Course Program.pptx
Honest Reviews of Tim Han LMA Course Program.pptx
timhan337
 
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
MysoreMuleSoftMeetup
 
"Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe..."Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe...
SACHIN R KONDAGURI
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
siemaillard
 

Recently uploaded (20)

Synthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptxSynthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptx
 
special B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdfspecial B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdf
 
Chapter -12, Antibiotics (One Page Notes).pdf
Chapter -12, Antibiotics (One Page Notes).pdfChapter -12, Antibiotics (One Page Notes).pdf
Chapter -12, Antibiotics (One Page Notes).pdf
 
Best Digital Marketing Institute In NOIDA
Best Digital Marketing Institute In NOIDABest Digital Marketing Institute In NOIDA
Best Digital Marketing Institute In NOIDA
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela TaraOperation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela Tara
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
 
Supporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptxSupporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptx
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
 
Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.
 
Normal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of LabourNormal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of Labour
 
Honest Reviews of Tim Han LMA Course Program.pptx
Honest Reviews of Tim Han LMA Course Program.pptxHonest Reviews of Tim Han LMA Course Program.pptx
Honest Reviews of Tim Han LMA Course Program.pptx
 
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
 
"Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe..."Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe...
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 

Message Authentication and Hash Function.pdf

  • 1. Message Authentication Code 2015.03.30 임 형 진 Email: imhj9121@gmail.com SeoulTech UCS Lab
  • 2. Table of Contents 1. Message Authentication Requirements 2. Message Authentication Functions 3. Requirements for Message Authentication Code 4. Security of MACs 5. MACs Based on Hash Functions:HMAC 6. MACs Based on Block Ciphers: DAA and CMAC 7. Authenticated Encryption:CCM and GCM 8. Key Wrapping 9. Pseudorandom Number Generation Using Hash Functions and MACs 2
  • 3. Message Authentication Requirements (1/2) • 1. Disclosure: Release of message contents to any person or process not possessing the appropriate cryptographic key. • 2. Traffic analysis: Discovery of the pattern of traffic between parties • 3. Masquerade: Insertion of messages into the network from a fraudulent source. • 4. Content modification: Changes to the contents of a message, including insertion, deletion, transposition, and modification. • 5. Sequence modification: Any modification to a sequence of messages between parties, including insertion, deletion, and reordering. • 6. Timing modification: Delay or replay of messages. • 7. Source repudiation: Denial of transmission of message by source. • 8. Destination repudiation: Denial of receipt of message by destination. 3
  • 4. Message Authentication Requirements (2/2) • a procedure to verify that received messages come from the alleged source and have not been altered. • verify sequencing and timeliness. • A digital signature is an authentication technique that also includes measures to counter repudiation by the source. 4
  • 5. Message Authentication Functions (1/10) Autenticator may be grouped into three classes. • Hash function: A function that maps a message of any length into a fixedlength hash value, which serves as the authenticator • Message encryption: The ciphertext of the entire message serves as its authenticator • Message authentication code (MAC): A function of the message and a secret key that produces a fixed-length value that serves as the authenticator 5
  • 6. Message Authentication Functions (2/10) 6 Symmetric Encryption A message M transmitted from source A to destination B is encrypted using a secret key K shared by A and B. If no other party knows the key, then confidentiality is provided: No other party can recover the plaintext of the message. In addition, B is assured that the message was generated by A M M E D Key Key E(K, M) Source Destination
  • 7. Message Authentication Functions (3/10) 7 M M E D PUb PRb E(PUb, M) Source A Destination B Public-key Encryption (1/3) Public-Key encryption: confidentiality The source (A) uses the public key PUb of the destination (B) to encrypt M. Because only B has the corresponding private key PRb, only B can decrypt the message. Provides no authentication, because any opponent could also use B’s public key to encrypt a message and claim to be A.
  • 8. Message Authentication Functions (4/10) Public-key Encryption (2/3) The message must have come from A because A is the only party that possesses PRa and therefore the only party with the information necessary to construct ciphertext that can be decrypted with PUa. 8 M M E D PRa PUa E(PRa, M) Source A Destination B Public-Key encryption: authentication and signature
  • 9. Message Authentication Functions (5/10) Public-key Encryption (3/3) • To provide both confidentiality and authentication, A can encrypt M first using its private key, which provides the digital signature, and then using B’s public key, which provides confidentiality. The disadvantage of this approach is that the public-key algorithm, which is complex, must be exercised four times rather than two in each communication 9 M E E PRa PUa E(PRa, M) Source A Destination B Public-Key encryption: confidentiality, authentication, and signature M D D PRb PUa E(PRa, M) E(PUb, E(PRa, M))
  • 10. Message Authentication Functions (6/10) Message Authentication Code (1/5) • This technique assumes that two communicating parties, say A and B, share a common secret key K. When A has a message to send to B, it calculates the MAC as a function of the message and the key MAC = C(K, M) • M = input message • C = MAC function • K = shared secret key • MAC = message authentication code 10
  • 11. Message Authentication Functions (7/10) Message Authentication Code (2/5) 11 M M C K Source A Destination B C(K, M) C K Compare Message authentication
  • 12. Message Authentication Functions (8/10) Message Authentication Code (3/5) 12 M M C K1 E(K2, [M||C(K1, M)]) Message authentication and confidentiality: authentication tied to plaintext E K2 M C(K, M) C K1 Compare D K2
  • 13. Message Authentication Functions (9/10) Message Authentication Code (4/5) 13 M C K1 C(K1, E(K2, M)) E K2 M C K1 Compare D K2 E(K2, M) Message authentication and confidentiality: authentication tied to ciphertext
  • 14. Message Authentication Functions (10/10) Message Authentication Code (5/5) • There are a number of applications in which the same message is broadcast to a number of destinations • An exchange in which one side has a heavy load and cannot afford the time to decrypt all incoming messages. • The computer program can be executed without having to decrypt it every time, which would be wasteful of processor resources. 14
  • 15. Requirements for Message Authentication Codes • If an opponent observes M and MAC(K, M), it should be computationally infeasible for the opponent to construct a message M such that MAC(K, M) = MAC(K, M) • MAC(K, M) should be uniformly distributed in the sense that for randomly chosen messages, M and M, the probability that MAC(K, M) = MAC(K, M) is 2-n, where n is the number of bits in the tag. • Let M be equal to some known transformation on M. That is, M = f(M). For example, f may involve inverting one or more specific bits. In that case, Pr [MAC(K, M) = MAC(K, M)] = 2-n 15
  • 16. Security of MACs • Brute-Force Attacks – Computation resistance: Given one or more text-MAC pairs [xi, MAC(K, xi)], it is computationally infeasible to compute any text- MAC pair [x, MAC(K, x)] for any new input x≠xi. – the level of effort for brute-force attack on a MAC algorithm can be expressed as min(2k, 2n) – k: key length – n: number of MAC bits • Cryptanalysis – That is, an ideal MAC algorithm will require a cryptanalytic effort greater than or equal to the brute-force effort. 16
  • 17. MACs Based on Hash Functions:HMAC (1/6) • There has been increased interest in developing a MAC derived from a cryptographic hash function – Cryptographic hash functions such as MD5 and SHA generally execute faster in software than symmetric block ciphers such as DES. – Library code for cryptographic hash functions is widely available. • HMAC – issued as RFC 2104, – has been chosen as the mandatory-to-implement MAC for IP security – is used in other Internet protocols, such as SSL 17
  • 18. MACs Based on Hash Functions:HMAC (2/6) • HMAC Design Objectives (RFC 2104) – To use, without modifications, available hash functions. – To allow for easy replaceability of the embedded hash function – To preserve the original performance of the hash function – To use and handle keys in a simple way – To have a well understood cryptographic analysis 18
  • 19. MACs Based on Hash Functions:HMAC (3/6) • HMAC(K,M) = H[(K+ ⊕ opad) ∥ H[(K+ ⊕ ipad) ∥M]] • H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160) • IV = initial value input to hash function • M = message input to HMAC (including the padding specified in the embedded • hash function) • Yi = i th block of M, 0 … i … (L - 1) • L = number of blocks in M • b = number of bits in a block • n = length of hash code produced by embedded hash function • K = secret key; recommended length is Ú n; if key length is greater than b, the • key is input to the hash function to produce an n-bit key • K+ = K padded with zeros on the left so that the result is b bits in length • ipad = 00110110 (36 in hexadecimal) repeated b/8 times • opad = 01011100 (5C in hexadecimal) repeated b/8 times 19
  • 20. MACs Based on Hash Functions:HMAC (4/6) 1. Append zeros to the left end of K to create a b-bit string K+ 2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit block Si. 3. Append M to Si. 4. Apply H to the stream generated in step 3. 5. XOR K+ with opad to produce the b-bit block So. 6. Append the hash result from step 4 to So. 7. Apply H to the stream generated in step 6 and output the result. 20
  • 21. MACs Based on Hash Functions:HMAC (5/6) • Efficient Implementation of HMAC 21
  • 22. MACs Based on Hash Functions:HMAC (6/6) • Security of HMAC – the probability of successful attack on HMAC is equivalent to one of the following attacks on the embedded hash function.  The attacker is able to compute an output of the compression function even with an IV that is random, secret, and unknown to the attacker  For a hash code length of 128 bits, this requires 264 observed blocks (272 bits) generated using the same key.  if speed is a concern, it is fully acceptable to use MD5 rather than SHA-1 as the embedded hash function for HMAC. 22
  • 23. MAC s Based on Block Ciphers: DAA and CMAC (1/3) • Data Authentication Algorithm (DAA) – (FIPS PUB 113) and an ANSI standard – Security weaknesses in this algorithm have been discovered – using the cipher block chaining (CBC) mode of operation of DES • Cipher-Based Message Authentication Code (CMAC) – use with AES and triple DES • AES; key length: 128, 192, 256bit. Block size: 128bit • Triple-DES; key length: 112 or 168bit. Block size: 64bit – NIST 800-38B 23
  • 24. MAC s Based on Block Ciphers: DAA and CMAC (2/3) 24 • Data Authentication Algorithm (DAA)
  • 25. MAC s Based on Block Ciphers: DAA and CMAC (3/3) • Cipher-Based Message Authentication Code (CMAC) 25
  • 26. Authenticated Encryption: CCM and GCM (1/7) • Authenticated encryption: AE – simultaneously protect confidentiality and authenticity (integrity) of communications. • Four common approaches to providing both confidentiality and encryption for a message M. – Hashing followed by encryption (H->E) • First compute the cryptographic hash function over M as h = H(M). • Then encrypt the message plus hash function: E(K, (M} h)) – Authentication followed by encryption (A->E) • First authenticate the plaintext by computing the MAC value as T = MAC(K1, M). • Then encrypt the message plus tag: E(K2, [M||T ]). – Encryption followed by authentication (E->A) • First encrypt the message to yield the ciphertext C = E(K2, M). • Then authenticate the ciphertext with T = MAC(K1, C) to yield the pair (C, T). – Independently encrypt and authenticate (E+A). • Encrypt the message to yield the ciphertext C = E(K2, M). • Authenticate the plaintext with T = MAC(K1, M) to yield the pair (C, T). 26
  • 27. Authenticated Encryption: CCM and GCM • Counter with Cipher Block Chaining-Message Authentication Code – a variation of the encrypt-and-MAC approach to authenticated encryption. – AES, CTR, CMAC – A single key K is used for both encryption and MAC algorithms. 27 Authenticated Encryption: CCM and GCM (2/7)
  • 28. Authenticated Encryption: CCM and GCM ( 28 Authenticated Encryption: CCM and GCM (3/7) Authentication of CCM
  • 29. 29 Authenticated Encryption: CCM and GCM (4/7) • Encryption of CCM
  • 30. Authenticated Encryption: CCM and GCM (5/7) • Galois/Counter Mode – standardized by NIST in NIST SP 800-38D – designed to be parallelizable so that it can provide high throughput with low cost and low latency. – the message is encrypted in variant of CTR mode – GHASH, which is a keyed hash function, and GCTR, which is essentially the CTR mode 30 GHash
  • 31. Authenticated Encryption: CCM and GCM (6/7) • GCTRK 31
  • 32. Authenticated Encryption: CCM and GCM (7/7) • Galois Counter—Message Authentication Code 32
  • 33. Key Wrap (1/3) • Most recent block cipher mode of operation defined by NIST – Uses AES or triple DEA as the underlying encryption algorithm • Purpose is to securely exchange a symmetric key to be shared by two parties, using a symmetric key already shared by these parties – The latter key is called a key encryption key (KEK) • Robust in the sense that each bit of output can be expected to depend in a nontrivial fashion on each bit of input • Only used for small amounts of plaintext 33
  • 34. Key Wrap (2/3) • Key Wrap 34 Key Wrapping Operation for 256-bit Key
  • 36. Pseudorandom Number Generation Using Hash Functions and MACs (1/2) • The essential elements of any pseudorandom number generator – Seed value – Deterministic algorithm for generating a stream of pseudorandom bits 36 PRNG using cryptographic hash function PRNG using HMAC
  • 37. Pseudorandom Number Generation Using Hash Functions and MACs (2/2) 37 m = [n/outlen] w0 = V W = the null string For i = 1 to m wi = MAC(K, wi-1) W = W||wii Return leftmost n bits of W m = [n/outlen] W = the null string For i = 1 to m wi = MAC(K, (V|| i)) W = W||wi Return leftmost n bits of W m = [n/outlen] A(0) = V W = the null string For i = 1 to m A(i) = MAC(K, A(i - 1)) wi = MAC(K, (A(i) }V) W = W||wi Return leftmost n bits of W NIST SP 800-90 IEEE 802.11i TLS/WTLS